Hello,
I have come across people who know people who can easily crack into facebook and gmail accounts. There are computer courses run by some reputed colleges in Mumbai where hacking (sic) is taught as a subject and those students can crack others' accounts. They don't need access to the other users' machines. Simply give them a user id and they crack it. They do it as ethical testing for friends.
How much of this is actually true and how easy is it to crack gmail and facebook accounts without the user's machine being involved?
On 13-Jul-2010, at 7:19 AM, Rony wrote:
Hello,
I have come across people who know people who can easily crack into facebook and gmail accounts. There are computer courses run by some reputed colleges in Mumbai where hacking (sic) is taught as a subject and those students can crack others' accounts. They don't need access to the other users' machines. Simply give them a user id and they crack it. They do it as ethical testing for friends.
How much of this is actually true and how easy is it to crack gmail and facebook accounts without the user's machine being involved?
Gmail security is very strong. Without having the password, you cannot get into gmail. At best, it would be social engineering - getting the password by trying out standard passwords like name (surprising how many people do that), birth dates, etc. The other way is phishing. A third way is to use the "forgot password" option, provided he has access to the alternate email id or knows the questions / answers saved as a part of the security setup.
About FB, I do not know.
Why not ask the students what they can do ? Give them your email id and see if they get through.
-- Regards,
Rony.
GNU/Linux ! No Viruses No Spyware Only Freedom.
On Tuesday 13 July 2010 07:19:22 Rony wrote:
How much of this is actually true and how easy is it to crack gmail and facebook accounts without the user's machine being involved?
I would suggest you take this discussion offlist. Cracking is criminal activity and that should not be discussed here.
On Tue, Jul 13, 2010 at 12:44 PM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
On Tuesday 13 July 2010 07:19:22 Rony wrote:
How much of this is actually true and how easy is it to crack gmail and facebook accounts without the user's machine being involved?
I would suggest you take this discussion offlist. Cracking is criminal activity and that should not be discussed here.
Beg to disagree. OP is not asking about methods and techniques for cracking. He is, IMHO, asking about the likelihood of such attacks compromising the accounts without need of access to the said person's (victim's?) machine. This can very well lead to an estimation of whether our own (as in members of this list) security measures should be stepped up.
Regards, Easwar Registered Linux user #442065
On Tue, Jul 13, 2010 at 3:58 AM, Easwar Hariharan meindian523@gmail.com wrote:
On Tue, Jul 13, 2010 at 12:44 PM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
On Tuesday 13 July 2010 07:19:22 Rony wrote:
How much of this is actually true and how easy is it to crack gmail and facebook accounts without the user's machine being involved?
I would suggest you take this discussion offlist. Cracking is criminal activity and that should not be discussed here.
Beg to disagree. OP is not asking about methods and techniques for cracking. He is, IMHO, asking about the likelihood of such attacks compromising the accounts without need of access to the said person's (victim's?) machine. This can very well lead to an estimation of whether our own (as in members of this list) security measures should be stepped up.
Regards, Easwar Registered Linux user #442065
+1. The list has a weird practice of sending membership passwords in plaintext unless turned off.
Regards, Mohan S N
2010/7/13 Mohan Nayaka mohansn@gmail.com:
The list has a weird practice of sending membership passwords in plaintext unless turned off.
That's true of any Mailman powered mailing list. Mailman warns you about this behaviour while signing up.
Anurag
On Tue, Jul 13, 2010 at 1:47 PM, Mohan Nayaka mohansn@gmail.com wrote:
+1. The list has a weird practice of sending membership passwords in plaintext unless turned off.
It sends it only to the email id you have registered with the mailing list. The presumption is that you have not compromised your email account; barring rogue admins at service provider it is quite safe.
If it is sent encrypted then how does one decrypt it?
-- Arun Khan
On Tuesday 13 July 2010 14:29:09 Arun Khan wrote:
If it is sent encrypted then how does one decrypt it?
Password reminder is actually rather silly as nowadays everyone has a 'lost your password' link (including mailman). And no one puts in a password when subscribing anyway - so what mailman is reminding one of is the automatically generated password.
On Tue, Jul 13, 2010 at 3:03 PM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
On Tuesday 13 July 2010 14:29:09 Arun Khan wrote:
If it is sent encrypted then how does one decrypt it?
Password reminder is actually rather silly as nowadays everyone has a 'lost your password' link (including mailman). And no one puts in a password when subscribing anyway - so what mailman is reminding one of is the automatically generated password.
The bigger point is that even the "lost your password" links send the password in text and the point being made was that the passwords are sent in clear text to the user's mailbox - does not matter whether it is Mailman or any other zillion services on the 'Net.
-- Arun Khan
On Wednesday 14 July 2010 11:10:11 Arun Khan wrote:
Password reminder is actually rather silly as nowadays everyone has a 'lost your password' link (including mailman). And no one puts in a password when subscribing anyway - so what mailman is reminding one of is the automatically generated password.
The bigger point is that even the "lost your password" links send the password in text and the point being made was that the passwords are sent in clear text to the user's mailbox - does not matter whether it is Mailman or any other zillion services on the 'Net.
Any sensible 'lost your password' function will send a link to a web page where you can enter a new password. That way, the site never knows your password. Mailman does not follow this for the simple reason that mailing list passwords are trivial passwords - even if they are cracked, no damage is done.
2010/7/14 Kenneth Gonsalves lawgon@au-kbc.org:
Any sensible 'lost your password' function will send a link to a web page where you can enter a new password. That way, the site never knows your password. Mailman does not follow this for the simple reason that mailing list passwords are trivial passwords - even if they are cracked, no damage is done.
Also, Mailman stores the membership password in plaintext, which is why Mailman asks you to use a trivial password for membership.
Anurag
On Wed, Jul 14, 2010 at 11:26 AM, Kenneth Gonsalves lawgon@au-kbc.org wrote:
On Wednesday 14 July 2010 11:10:11 Arun Khan wrote:
Password reminder is actually rather silly as nowadays everyone has a 'lost your password' link (including mailman). And no one puts in a password when subscribing anyway - so what mailman is reminding one of is the automatically generated password.
The bigger point is that even the "lost your password" links send the password in text and the point being made was that the passwords are sent in clear text to the user's mailbox - does not matter whether it is Mailman or any other zillion services on the 'Net.
Any sensible 'lost your password' function will send a link to a web page where you can enter a new password. That way, the site never knows your password. Mailman does not follow this for the simple reason that mailing list passwords are trivial passwords - even if they are cracked, no damage is done.
It still comes into your email box and if that is compromised everything else is moot. IMO, no different from clear text passwords being sent to your mail box.
-- Arun Khan
On Tue, Jul 13, 2010 at 1:28 PM, Easwar Hariharan meindian523@gmail.com wrote:
On Tue, Jul 13, 2010 at 12:44 PM, Kenneth Gonsalves <lawgon@au-kbc.org> wrote:
On Tuesday 13 July 2010 07:19:22 Rony wrote:
How much of this is actually true
I would suggest you take this discussion offlist.
Beg to disagree. OP is not asking about methods and techniques for cracking.
+1
On Tuesday 13 July 2010 12:44 PM, Kenneth Gonsalves wrote:
On Tuesday 13 July 2010 07:19:22 Rony wrote:
How much of this is actually true and how easy is it to crack gmail and facebook accounts without the user's machine being involved?
I would suggest you take this discussion offlist. Cracking is criminal activity and that should not be discussed here.
Discussing security issues is not criminal.
On Tuesday 13 July 2010 21:38:55 Rony wrote:
On Tuesday 13 July 2010 12:44 PM, Kenneth Gonsalves wrote:
On Tuesday 13 July 2010 07:19:22 Rony wrote:
How much of this is actually true and how easy is it to crack gmail and facebook accounts without the user's machine being involved?
I would suggest you take this discussion offlist. Cracking is criminal activity and that should not be discussed here.
Discussing security issues is not criminal.
Don't be so sure. Circumvention of preventive measures, aka "hacking" including posting of exploits is a criminal offence.
Recently someone was forced to withdraw a research paper at a conference (in Europe afair) that disclosed a vulnerability. If you disclose a vulnerability quite obviously you have to post an exploit, so that others can verify your tall claims and close the hole. But the product vendor chose to hide their head in the sand and served a cease and detest notice.
I wonder why so many off-topic posts. If you don't have anything useful to post for op, don't post! Please!
// Sorry for *this* offtopic post.
Thanks. With regards, Shirish Padalkar
On Tue, Jul 13, 2010 at 10:20 PM, jtd jtd@mtnl.net.in wrote:
On Tuesday 13 July 2010 21:38:55 Rony wrote:
On Tuesday 13 July 2010 12:44 PM, Kenneth Gonsalves wrote:
On Tuesday 13 July 2010 07:19:22 Rony wrote:
How much of this is actually true and how easy is it to crack gmail and facebook accounts without the user's machine being involved?
I would suggest you take this discussion offlist. Cracking is criminal activity and that should not be discussed here.
Discussing security issues is not criminal.
Don't be so sure. Circumvention of preventive measures, aka "hacking" including posting of exploits is a criminal offence.
Recently someone was forced to withdraw a research paper at a conference (in Europe afair) that disclosed a vulnerability. If you disclose a vulnerability quite obviously you have to post an exploit, so that others can verify your tall claims and close the hole. But the product vendor chose to hide their head in the sand and served a cease and detest notice.
-- Rgds JTD -- http://mm.glug-bom.org/mailman/listinfo/linuxers
On Tue, Jul 13, 2010 at 10:20 PM, jtd jtd@mtnl.net.in wrote:
But the product vendor chose to hide their head in the sand and served a cease and detest notice.
I guess you meant cease and desist. I'm pretty sure the person already 'detested' the vendor, so a notice would be unnecessary ;)
On Wednesday 14 July 2010 00:49:16 Siddhesh Poyarekar wrote:
On Tue, Jul 13, 2010 at 10:20 PM, jtd jtd@mtnl.net.in wrote:
But the product vendor chose to hide their head in the sand and served a cease and detest notice.
I guess you meant cease and desist. I'm pretty sure the person already 'detested' the vendor, so a notice would be unnecessary ;)
LOL. Yes
On Tuesday 13 July 2010 10:20 PM, jtd wrote:
On Tuesday 13 July 2010 21:38:55 Rony wrote:
On Tuesday 13 July 2010 12:44 PM, Kenneth Gonsalves wrote:
On Tuesday 13 July 2010 07:19:22 Rony wrote:
How much of this is actually true and how easy is it to crack gmail and facebook accounts without the user's machine being involved?
I would suggest you take this discussion offlist. Cracking is criminal activity and that should not be discussed here.
Discussing security issues is not criminal.
Don't be so sure. Circumvention of preventive measures, aka "hacking" including posting of exploits is a criminal offence.
Recently someone was forced to withdraw a research paper at a conference (in Europe afair) that disclosed a vulnerability. If you disclose a vulnerability quite obviously you have to post an exploit, so that others can verify your tall claims and close the hole. But the product vendor chose to hide their head in the sand and served a cease and detest notice.
I only want to know if it is really possible for some experts to crack gmail and facebook accounts without access to the users' machines. I don't want to know the actual method of the same. I feel that people are just bluffing to create an impression but those who I come across say they know friends who actually demonstrated it on their friends' accounts. Haven't yet come across a cracker otherwise I would have observed him.